yahoo-eng-team team mailing list archive
Message #71748
[Bug 1747082] Re: OVS-FIREWALL - can't create Loadbalancer when firewall_driver = openvswitch
Reviewed: https://review.openstack.org/550421
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3327db80be22650144342d1cc7e2c1b3e04a57ca
Submitter: Zuul
Branch: master
commit 3327db80be22650144342d1cc7e2c1b3e04a57ca
Author: Jakub Libosvar <libosvar@xxxxxxxxxx>
Date: Fri Mar 9 14:25:23 2018 +0000
ovs-fw: Clear conntrack information before egress pipeline
In the case where a Neutron logical port is placed directly on the hypervisor,
the hypervisor does a conntrack lookup before packets reach the OVS integration
bridge. This patch introduces a rule with high priority that is placed
at the beginning of the egress pipeline. This rule removes conntrack
information from all packets if conntrack information is present. Then
packets continue in the egress pipeline.
That means all packets in the egress pipeline are not tracked and the ovs
firewall can do a lookup in the correct zone. As for the ingress pipeline, it
distinguishes between tracked packets, which are packets coming from the egress
pipeline, and not tracked packets, which are inbound packets not coming from a
local port.
Change-Id: Ia4f524adce2b5ee6d98d3921cfb03d56ad6d0813
Closes-bug: #1747082
** Changed in: neutron
Status: In Progress => Fix Released
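Added example (not code from the commit or from Neutron): a check a deployer could run over `ovs-ofctl dump-flows br-int` output to confirm that the egress base table starts with a conntrack-clearing rule of the kind the commit describes. The flow lines are constructed, and the use of table 71 as the egress base table, priority 110 for the clearing rule and reg5 as the port register are assumptions about the Neutron OVS firewall layout.

```python
import re

# Constructed sample of `ovs-ofctl dump-flows br-int` output (not captured from a
# real host). Table 71 as the egress base table, priority 110 for the clearing
# rule and the reg5 port register are assumptions about the Neutron OVS firewall.
FLOWS_WITH_FIX = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x1, duration=10.5s, table=0, n_packets=3, n_bytes=240, priority=100,in_port=5 actions=set_field:0x5->reg5,set_field:0x1->reg6,resubmit(,71)
 cookie=0x1, duration=10.5s, table=71, n_packets=3, n_bytes=240, priority=110,ct_state=+trk,reg5=0x5 actions=ct_clear,resubmit(,71)
 cookie=0x1, duration=10.5s, table=71, n_packets=3, n_bytes=240, priority=65,ct_state=-trk,ip,reg5=0x5 actions=ct(table=72,zone=NXM_NX_REG6[0..15])
 cookie=0x1, duration=10.5s, table=71, n_packets=0, n_bytes=0, priority=10,ct_state=-trk,reg5=0x5 actions=drop
"""
# Same dump without the clearing rule: packets that arrive already tracked by the
# hypervisor never match the ct_state=-trk entries and are not looked up in the
# port's own conntrack zone.
FLOWS_WITHOUT_FIX = "\n".join(
    ln for ln in FLOWS_WITH_FIX.splitlines() if "ct_clear" not in ln) + "\n"

FLOW_RE = re.compile(
    r"table=(?P<table>\d+),.*?priority=(?P<priority>\d+)"
    r"(?:,(?P<match>[^ ]*))? actions=(?P<actions>\S+)")


def parse_flows(dump):
    """Reduce each flow line to table, priority, match fields and raw actions."""
    flows = []
    for line in dump.splitlines():
        m = FLOW_RE.search(line)
        if not m:  # e.g. the "NXST_FLOW reply" header line
            continue
        flows.append({
            "table": int(m["table"]),
            "priority": int(m["priority"]),
            "match": set(filter(None, (m["match"] or "").split(","))),
            "actions": m["actions"],
        })
    return flows


def egress_clears_conntrack(dump, egress_table=71):
    """True if the egress base table starts with a rule that strips conntrack
    state from tracked packets (ct_clear) and re-enters the same table, so every
    packet reaching the remaining egress rules is untracked."""
    egress = [f for f in parse_flows(dump) if f["table"] == egress_table]
    for f in egress:
        others = [g["priority"] for g in egress if g is not f]
        if ("ct_state=+trk" in f["match"]
                and "ct_clear" in f["actions"].split(",")
                and "resubmit(,%d)" % egress_table in f["actions"]
                and all(f["priority"] > p for p in others)):  # strictly first
            return True
    return False


if __name__ == "__main__":
    print("fixed host:", egress_clears_conntrack(FLOWS_WITH_FIX))         # True
    print("unpatched host:", egress_clears_conntrack(FLOWS_WITHOUT_FIX))  # False
```

On a real host, feed the check the actual dump (`ovs-ofctl -O OpenFlow13 dump-flows br-int`) and adjust `egress_table` if the deployment's table layout differs from the assumed one.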
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1747082
Title:
OVS-FIREWALL - can't create Loadbalancer when firewall_driver = openvswitch
Status in neutron:
Fix Released
Bug description:
steps to reproduce:
=====================
A. Download the following local.conf file:
https://github.com/openstack/octavia/blob/master/devstack/samples/singlenode/local.conf
B. Add the following at the end of the above file (set ML2 firewall_driver to OVS):
[[post-config|/$Q_PLUGIN_CONF_FILE]]
[securitygroup]
firewall_driver = openvswitch
C. Deploy devstack
D. Create LoadBalancer:
openstack loadbalancer create --vip-subnet-id private-subnet --name tst_lb
Observations :
==============
A. Loadbalancer is stuck in 'Provisioning_status' = 'PENDING_UPDATE'.
B. Disabling port security of the Amphora's 'lb-mgmt-net' port solved the
problem.
C. Based on Octavia experts' feedback [1], it seems like the bug is
solely in ovs-firewall.
"The issue is that one port is placed directly at the hypervisor while
ovs firewall works with VM ports only"
[1] - https://storyboard.openstack.org/#!/story/2001426
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1747082/+subscriptions